Pulse Connect Secure

Release Notes
PCS 8.2R4.1 Build 48385

Release, Build
Published
Document Version
 Pulse Connect Secure Release Notes

INTRODUCTION .................................................................................................................................................... 3
HARDWARE PLATFORMS ..................................................................................................................................... 3
VIRTUAL APPLIANCE EDITIONS .............................................................................................................................. 3
UPGRADE PATHS ................................................................................................................................................... 4
GENERAL NOTES .................................................................................................................................................... 4
FIXED ISSUES IN CURRENT (8.2R4.1) RELEASE........................................................................................................ 5
NEW FEATURES IN 8.2R4 RELEASE ....................................................................................................................... 5
FIXED ISSUES IN 8.2R4 RELEASE ............................................................................................................................. 6
KNOWN ISSUES IN 8.2R4 RELEASE ......................................................................................................................... 6
NEW FEATURES IN 8.2R3 RELEASE ....................................................................................................................... 8
FIXED ISSUES IN 8.2R3 RELEASE ............................................................................................................................. 9
KNOWN ISSUES IN 8.2R3 RELEASE ....................................................................................................................... 11
NEW FEATURES IN 8.2R2 RELEASE ..................................................................................................................... 14
FIXED ISSUES IN 8.2R2 RELEASE ........................................................................................................................... 14
KNOWN ISSUES IN 8.2R2 RELEASE ....................................................................................................................... 16
FIXED ISSUES IN 8.2R1.1....................................................................................................................................... 17
NEW FEATURES IN 8.2R1 .................................................................................................................................... 18
KNOWN ISSUES IN 8.2R1...................................................................................................................................... 20
FIXED ISSUES IN 8.2R1 ......................................................................................................................................... 23
DOCUMENTATION .............................................................................................................................................. 24
DOCUMENTATION FEEDBACK .............................................................................................................................. 24
TECHNICAL SUPPORT ........................................................................................................................................... 24
REVISION HISTORY ................................................................................................................................................ 24

© 2016 by Pulse Secure, LLC. All rights reserved 2

 Pulse Connect Secure Release Notes

Introduction
This document is the release notes for Pulse Connect Secure Release 8.2. This document
contains information about what is included in this software release: supported features,
feature changes, unsupported features, known issues, and resolved issues. If the
information in the release notes differs from the information found in the documentation set,
follow the release notes.

Hardware Platforms
You can install and use this software version on the following hardware platforms:

 MAG2600, MAG4610, MAG6610, MAG6611, MAG SM160, MAG SM360

 PSA300, PSA3000, PSA5000, PSA7000F, PSA7000C

To download software for these hardware platforms, go to:

https://www.pulsesecure.net/support/

Virtual Appliance Editions

This software version is available for the following virtual appliance editions:

 Demonstration and Training Edition (DTE)

 Service Provider Edition (SPE)

The following table lists the virtual appliance systems qualified with this release.

Platform Qualified System

 IBM BladeServer H chassis

VMware  BladeCenter HS blade server
 vSphere 6.0.1, 6.1, 6.2, 5.1, 5.0, and 4.1

 ESXi 5.5, 5.5 U3

Virtual SA
 ESXi 6.0

 CentOS 6.6 with Kernel cst-kvm 2.6.32-504.el6.x86_64

 QEMU/KVM v1.4.0
 Linux Server Release 6.4 on an Intel Xeon CPU L5640 @ 2.27GHz
KVM
o NFS storage mounted in host
o 24GB memory in host
o Allocation for virtual appliance: 4vCPU, 4GB memory and 20GB disk space

To download the virtual appliance software, go to: https://www.pulsesecure.net/support/

© 2016 by Pulse Secure, LLC. All rights reserved 3

 Pulse Connect Secure Release Notes

Upgrade Paths
The following table describes the tested upgrade paths.

Release Description

8.2Rx You can upgrade to 8.2R4.1

8.0Rx or 8.1Rx You can upgrade directly to 8.2Rx simply by installing the 8.2Rx update.

Earlier than 8.0Rx or

First upgrade to release 8.0Rx or 8.1Rx; then upgrade to 8.2Rx
8.1Rx

Pulse Secure Desktop

5.2Rx Client Software Refer to the Pulse Secure Desktop Client 5.2 release notes.
Upgrade

Note: If your system is running Beta software, roll back to your previously installed official software
release before you upgrade to 8.2R3 This practice ensures the rollback version is a release suitable for
production.

General notes
1. For policy reasons security issues are not normally mentioned in release notes. To find
more information about our security advisories, please see our security advisory page

2. In 8.2R1.1 and above, all PCS client access binaries (Network Connect, WSAM, Host
Checker, JSAM, Windows Terminal Services, Citrix Terminal Services) are signed with a
SHA-2 code signing certificate to improve security and ensure compatibility with
Microsoft OS’s 2016 restrictions on SHA-1 code signing. This certificate will expire on
Jan 13, 2019.

Important note: Windows 7 machines must contain a March 10, 2015 Windows 7 Update
in order to be able to accept and verify SHA-2-signed binaries properly. This Windows 7
update is described here and here. If this update is not installed (in other words if a
Windows 7 machine has not received an OS update since March 10, 2015), then PCS
8.2R1.1 and later will have reduced functionality (see PRS-337311 below). (As a
general rule, Pulse Secure, LLC recommends that client machines be kept current with
the latest OS updates to maximize security and stability).

3. In 8.2R1 and 8.2R1.1, the Pulse Linux client packages will not be available under the
Admin installer’s page. However, the 8.1R7 Pulse Linux client is compatible with PCS
8.2R1 and 8.2R1.1. The previously downloaded/installed Pulse Linux clients will also
work with 8.2R1 PCS.

4. In 8.2R2, the 8.1R8 Pulse Linux client package (both RPM and Debian packages) are
available under the Admin installers page.

You can also download the Pulse Linux client packages from the Pulse Secure
Licensing and Download Center, under the download section for PCS 8.1R7 and

© 2016 by Pulse Secure, LLC. All rights reserved 4

 Pulse Connect Secure Release Notes

8.1R8.

5. When custom ciphers are selected, there is a possibility that some ciphers are not
supported by the web browser. Also, if any of ECDH/ECDSA ciphers are selected, they
require ECC certificate to be mapped to the internal/external interface. If ECC certificate
is not installed, admin may not be able to login to the box. The only way to recover from
this situation is to connect to the system console and select option 8 to reset the SSL
settings from the console menu. Option 8 resets the SSL setting to its default. So, the
previously set SSL settings are lost. This is applicable only to Inbound SSL settings.

6. Pre-5.0 Android and pre-9.1 iOS devices don’t support Suite B ciphers. So if Suite B is
enabled, Pulse client on pre-5.0 Android and pre-9.1 iOS devices will not be able to
connect to PCS device.

Fixed Issues in current (8.2R4.1) release

The following table lists issues that have been fixed and are resolved by upgrading to this release.

Problem Report Release Note

Number

PRS-343966 Upgrading the installer service does not restart the Pulse UI

New Features in 8.2R4 release

The following table describes the major features that are introduced in 8.2R4 release.

Feature Description

When NDcPP option is enabled, only NDcPP allowed crypto algorithms are allowed.
Device certification 3072 bit key length support
Changes made to be compliant
Device certification revocation check
with NDcPP certification
Client cert auth for syslog certification revocation check.
Note: NDcPP certification is in progress

The Pulse Linux client now supports the following operations to be done through the UI,
Connection management (add/edit/delete connections)
Connect/disconnect to VPN
Pulse Linux client UI
Check VPN status and statistics
Upload logs to PCS
Configure the client log level

© 2016 by Pulse Secure, LLC. All rights reserved 5

 Pulse Connect Secure Release Notes

Feature Description

Pulse Linux client has been qualified to for the following MFA mechanisms,
RSA (software token and hardware token)
Support for multifactor
Duo Security
authentication with Pulse Linux
Safenet
client
But the Pulse Linux should be able to support other MFA methods too as the client uses
web based UI to authenticate into the PCS

Pulse linux client supports the system proxy in the following modes,
Manual configuration
Auth proxy
Support for system proxy in
Pac file configuration
command line mode
In this release, there are some limitations in running the Pulse Linux client in UI mode with
system proxy configured. Command line mode of the client does not have those limitations
and it works.

Fixed Issues in 8.2R4 release

The following table lists issues that have been fixed and are resolved by upgrading to this release.

Problem Report Release Note

Number

PRS-337187 Dsserver tasks issues seen and they are having timeout/disconnect issues for Pulse Mobile

PRS-340595 PCS reports it cannot verify Pulse One certificate despite correct certificate was loaded.

PRS-339030 Some Pulse users are unable to access resources intermittently.

PRS-342088 After 8.2R3 ran a few days without user access, there is a bug causes admin and user unable to login.

Known Issues in 8.2R4 release

The following table lists Known issues in 8.2R4 release.

Problem Report Description

Number

When CA Certificate Policy is set to fail that causes the certificate authentication through other CAs to
PRS-341792
fail.

Adding a connection with duplicate name closes the connection creation window after the warning in
PRS-341773
Pulse Linux client

© 2016 by Pulse Secure, LLC. All rights reserved 6

 Pulse Connect Secure Release Notes

PRS-341921 Pulse Linux client does not automatically reconnect during the network outages.

© 2016 by Pulse Secure, LLC. All rights reserved 7

 Pulse Connect Secure Release Notes

New Features in 8.2R3 release

The following table describes the major features that are introduced in this release.

Feature Description

Previously JSAM component is unable to establish a connection with a backend server

Support proxy Authentication for when a proxy server is present in the middle.
JSAM when using NTLM With this feature, this limitation will be removed and JSAM will be able to handle the
proxy authentication challenge from the proxy server successfully.

Secure Access - Support for

Dual monitor configuration when User should be able to stretch the display into multiple monitors.
using Windows Terminal Admin will be able to configure the option as part of RDP profile selection
Services

RSA SecurID Risk-Based Authentication is a token less, multi-factor enterprise

RSA Risk Based authentication solution that uses risk scoring to determine that users are who they say
Authentication(RBA) support they are while preserving the username and password login experience. Provides a
with PCS Cluster token alternative – token less authentication is a convenient way for your users to
authenticate securely, via a web interface, without the need for a token.

Hyper-V is another hypervisor that we must support as part of extended platform

support for virtual appliances.
Secure Access - Support for
Note: Kernel Watchdog is not supported on Hyper-V platforms. In PCS/PPS, on
Hyper-V hypervisor
Maintenance->system->options page kernel watchdog checkbox is grayed out.
Transition or first step to provide Azure support

Pulse Cloud Secure technology provides secure access to the cloud, while offering
additional benefits. With this PCS release, we are delivering Cloud Secure tech
preview. End user with iOS devices can now connect to enterprise cloud/SaaS
application in a seamless and secure fashion.
Cloud Secure – Solution Tech Following capabilities are available as part of Cloud Secure technologies
Preview  Single Sign On of Cloud Applications like Salesforce, Dropbox with PCS as
IDP through SAML assertion
 Office 365 Single Sign On with PCS as IDP (through SAML ECP support)
 PulseOne as MDM server integration with PCS to provide compliance check
of iOS device during authentication

1. SA Admin, can configure SA as IdP for SAML SSO easily.

2. End users can do SSO in the application without being prompted for
Cloud Secure - SAML changes passwords.
for Secure Access 3. End user can login to end application behind rewritter/PTP on being
redirected from Enterprise Landing Page.

© 2016 by Pulse Secure, LLC. All rights reserved 8

 Pulse Connect Secure Release Notes

Feature Description

This feature provides ability to select specific ciphers and order the ciphers with
preference orders. There is an Inbound SSL option tab as well as an Outbound SSL
Granular Cipher Configuration option tab. The Inbound SSL tab controls all incoming SSL traffic; the Outbound SSL
option controls the outbound SSL connections from PCS: connection to SCEP server,
Syslog server, and rewriter and ActiveSync connections.

This feature allows the end user to create and edit bookmarks and access them over
RDP via HTML5. When an admin enables this feature, the end user can perform the
following:
• Create/Update bookmarks
HTML5 RDP – End User can • Enable/Disable SSO based Authentication
create HTML5 access • Enable/Disable accessing resource operation like file transfer, printing etc.
bookmarks • Select the Encryption type
• Set the remote program options.

Note that creating HTML5 based user bookmarks for Terminal services sessions is not
supported on mobile devices, however end users can create these from a Windows or
Mac machine and access the bookmarks from your mobile device.

Currently support of following applications:

 Policy Server 12.5 SP3/SP4
 VmWare View client 2.X , 3.X
Third Party Applications
 Sharepoint 2013 SP1
Support
 Storefront 3.1 (Beta)
 Windows 10 (Threshold 2)
 OWA 2016 (via Rewriter and PTP)

Enhance UX - Fail open if User will be able to launch PCS jar files even if the certificate expired but were signed
certificate used for signing jar files when the certificate had a valid timestamp.
has expired.

Fixed Issues in 8.2R3 release

The following table lists issues that have been fixed and are resolved by upgrading to this release.

Problem Report Release Note

Number

In the admin UI, longer role names are not completely visible under available roles on resource policy
PRS-338476
page.

PRS-339141, PRS- Enabling Suite B or PFS option causes some clients fail to connect to PCS. Known clients that fail to
338701, PRS-339321, connect include but not limited to the following: Network Connect client, Pulse Collaboration client, WSM
PRS-339405, PRS- client, VDI client, Host Checker, WTS client and Pulse Mobile Android version 4.4.4. A warning will be
339133, PRS-339161 added in the future on the configuration page to alert admin of the potential.

© 2016 by Pulse Secure, LLC. All rights reserved 9

 Pulse Connect Secure Release Notes

Problem Report Release Note

Number

PRS-339254 3072 bit is shown erroneously as one of the possible key length for certificate.

PRS-339328 FIPS ON Mode allows RC4 Ciphers in TLS1.1 and TLS1.2 Custom Settings.

On Windows 10, unable to launch previous component (prior to 8.2) when 8.2 Installer Service is
PRS-339024
installed.

If you download Pulse 5.2 package from the my.pulsesecure.net site, then upload it to your PCS, then
make it your active version, then browse to: Maintenance > System > Installers and attempt to download
PRS-336902
either the Windows or Mac Pulse installer, you will see a blank white page and no client installer will be
downloaded.

PRS-340498 Citrix listed Apps are not launching with IE and FF

PRS-340349 CTS custom ICA bookmark with SSO does not work

PRS-340253 NC service not starting after upgrading from 7.1R2

PRS-339600 Domain name parameter is not passed for WTS after upgrading to 8.2R1.1

PRS-337893 Remote App is not launching when the "Launch seamless window" option is set on WTS bookmark

PRS-337999 Support for configuring RDP with custom port

PRS-336856 Suppressing the certificate warning for the WTS

Non authenticated users were unable to join meeting with "Edge" and "Chrome" browser in absence of
Pulse Secure Application Launcher already installed on the PC.
PRS-338691
Workaround:
User can manually download and install Pulse Application Launcher from the meeting-join page.

Problem:
Pulse Connect Secure gateways version 8.2 and later are unable to web-deploy version 5.1 and earlier
Pulse Secure desktop clients.
Symptoms:
When attempting to web-deploy a pre-5.2 Pulse desktop client from an 8.2 PCS gateway, the end user's
web browser will hang on "Launching Pulse Secure".
PRS-337378
Workaround:
There are a number of recommended workarounds:
1) Install the Pulse Secure 5.1RX client using the MSI file, then connect to 8.2R1. This could be done
either by manually invoking the MSI file, or, by leveraging a software distribution system like SMS.
2) Connect to a 8.1RX PCS gateway and get Pulse 5.1RX web deployed, then connect to an 8.2R1
gateway after deployment.

© 2016 by Pulse Secure, LLC. All rights reserved 10

 Pulse Connect Secure Release Notes

Known Issues in 8.2R3 release

The following table lists Known issues in 8.2R3 release.

Problem Report Description

Number

In admin UI, "Allowed servers (and ports)" configuration from "Role | SAM | Applications | WSAM
Allowed Servers" page, allows incorrectly formatted "server-port" values to be saved. When this
PRS-340573
incorrect configuration is exported (XML) from one appliance and tried to import on the other appliance,
import operation will fail due to the incorrectly formatted "server-port" values.

PCS-3384 Admin Log not updated when multiple monitor option is enabled/disabled

HTML5 RDP If you have switched you primary and secondary mouse clicks of the mouse, HTML5
PRS-340760
access feature does not recognize these changes.

While using the floating toolbar for HTML5 access feature, you may notice a small black strip on the
PRS-340765
extreme right side of the browser. Moving the floating toolbar to the left will render it properly.

Chrome browser does not go to home page automatically after user clicks on Terminal Service
PRS-339514
bookmarks. As a workaround, user need to manually click the link provided to go to home page.

Symptom:
PCS does not send syslogs to remote syslog server
Conditions:
1) Management port is enabled on the PCS.
2) PCS connects to Remote Syslog Server through management port.
PRS-339296
3) Admin disables management port.
4) PCs is expected to send traffic through internal port. However, it does not.
Workaround:
Make changes in any of the syslog server entries (eg. change facility or connection type). This should
trigger the PCS to re-establish the connection with the Syslog Server, and start sending syslogs.

Symptom: Cache cleaner doesn't clean up the Recycle bin and the folder data when we sign in and sign
out from IE browsers
Conditions:
PRS-341030
1) Create a cache cleaner policy to empty the recycle bin and custom folders
2) From the endpoint, connect to PCS from IE browser and then sign out.
3) Cache cleaner doesn’t clean up the Recycle bin and the custom folders

Symptom:
Guest OS name shows as Other Linux(32bit) for VA-SPEs deployed on VMware ESXi
Conditions:
PRS-334398 PCS running pre-8.2 and deployed on VMware ESXi, and upgraded to 8.2.
Workaround:
It is only a display issue. Kernel would be upgraded to 64-bit after upgrade to 8.2.
Freshly deployed VA-SPE using 8.2 OVF will not exhibit this issue.

© 2016 by Pulse Secure, LLC. All rights reserved 11

 Pulse Connect Secure Release Notes

Problem Report Description

Number

Symptom:
PCS does not send syslogs to remote syslog server
Conditions:
1) Management port is enabled on the PCS.
2) PCS connects to Remote Syslog Server through management port.
PRS-339295 3) Admin disables management port.
4) PCs is expected to send traffic through internal port. However, it does not.
Workaround:
- Make changes in any of the syslog server entries(eg. change facility or connection type). This
should trigger the PCS to re-establish the connection with the Syslog Server, and start sending
syslogs.

When Suite B is enabled, only ECC ciphers were enabled. At this point, ECC certificate must be
configured for all ports, including internal ports. If RSA certificate is configured for internal port by
PRS-340481 mistake, this prevents any connections to PCS, including watchdog connection. Because
Watchdog fails to connect to webserver, it thinks webserver is unresponsive thus restarts
webserver.

Cache cleaner does not perform the cleaning when user signs out from IE browser. If user
PRS-341029
connects and signs out from PCS again, then the cleaning is performed.

When CC Proxy with NTLM authentication is configured with domain\user, user will not be able to
PRS-338642
access resources via JSAM.

Pre-5.0 Android and pre-9.1 iOS devices don’t support Suite B ciphers. So if Suite B
PM-1972 is enabled, Pulse client on pre-5.0 Android and pre-9.1 iOS devices will not be able
to connect to PCS device.

PRS-339052 PPS granular cipher: 8021.x is not honoring SSL settings configured in admin UI.

Symptom:
XML Import of User Realm fails, if User-agent-pattern contains starting or trailing whitespaces
Workaround:
1. If user agent has a trailing space, add a leading space also.
PRS-339434
2. If user agent has a leading space, add a trailing space also.
This will ensure the XML import goes through.

This will not be seen if the user-agent-pattern does not have any trailing/leading
spaces also.

The PSAL client installed in previous release (before 8.2R3) doesn’t support Suite B or PFS
ciphers, thus auto-upgrade to 8.2R3 doesn’t work. If user had PSAL clients installed, there are two
PRS-340387 options:
1. Do not enable PFS or Suite B ciphers until all users upgraded PSAL to 8.2R3 version.
2. User must download PSAL from a 8.2R4 PCS device and install manually.

© 2016 by Pulse Secure, LLC. All rights reserved 12

 Pulse Connect Secure Release Notes

Problem Report Description

Number

In the situation that “weak ciphers not allowed” option is disabled before upgrading to 8.2R3,
configuration is exported before any update to the ciphers, this exported configuration would fail to
PRS-341306
be imported again later. To work around this issue, 1) make a modification on the cipher selection
page; or 2) manually update the value of “weak ciphers not allowed” in XML file to be enabled.

PRS-339683 Cloud Secure dashboard is not displaying failed App details.

PCS-4045 HTML5 Error messages which get displayed after session disconnect are not localized.

When launching HC on MAC using the safari browser, at times if PSAL download prompt is looping then
PRS-341427
kill the PSAL process and launch the HC again

End users logging in from Firefox ESR browser using java delivery (Firefox version 45 and above + Java
8 Update 91) will see prompt to save Setup Client Installer if Host Checker is configured. They can
PRS-341379
save and cancel the installer file and click on the link “Once java is installed and enabled, please Click
here to continue” for continuing the login.

If a user with restricted permissions creates a Secure Meeting and attempts to allow a remote user to
PRS-340749 control a window associated with privileged process (the “Grant Control” function), the remote user will
not be able to manipulate that privileged window.

© 2016 by Pulse Secure, LLC. All rights reserved 13

 Pulse Connect Secure Release Notes

New Features in 8.2R2 release

The following table describes the major features that are introduced in 8.2R2 release.

Feature Description

This Pulse Secure Linux Client feature is to support java-free host checking functionality on
Linux. Pulse Secure Linux Client checks endpoint properties for file, process and port rule
Linux command line client
types to allow access to protected resources. Pulse Secure Linux Client. Host Checker
Host Checker
functionality complies with the standards produced by the Trusted Network Connect (TNC)
subgroup of Trusted Computing Group.

The 8.2r2 Pulse Connect Secure gateway now supports custom sign-in pages for the Pulse
Secure desktop client. (Previously, custom-sign-in pages were supported only for the
Network Connect client.) Custom sign-in pages allow for the creation of HTML authentication
Custom Sign-in Page and password-management screens to provide customized localization, online help, error
messages, server redirection, and page styles using CSS (cascading style sheets). This new
support for the Pulse desktop client is identical to that of the custom-sign-in-page support in
the Network Connect client.

VMWare Horizon view

In this release, user can launch virtual desktop using Horizon view client 2.x or 3.x
client 2.x and 3.x support

Fixed Issues in 8.2R2 release

The following table lists issues that have been fixed and are resolved by upgrading to this release.

Problem Report Release Note

Number

PRS-322363 Webserver process restarts under heavy load.

The user access log may show a mismatched logged in username between ActiveSync user and PCS
PRS-329411
username.

PRS-331805 Online help for Network Connect on MAC OSX is missing.

For Network Connect and Pulse VPN users, if a user session ends during a DHCP renew transaction, a
PRS-332212
process crash may occur causing IP addresses to not be provisioned from the DHCP server.

PRS-333721 The Network Connect GINA tile is not present on Windows 10 clients.

PRS-334156 Improved Pulse One related error messages in the event log.

When using the following rewriter settings, a POST request results in an Internal Server Error:
PRS-334161 Unrewritten pages open in new window
Action = Don’t rewrite (with redirect)

© 2016 by Pulse Secure, LLC. All rights reserved 14

 Pulse Connect Secure Release Notes

Problem Report Release Note

Number

While connecting from Pulse client after session resumption, realm information is missing from user
PRS-335285
access logs.

PRS-335517 System snapshot failing intermittently from serial console, whereas it works fine through the admin UI.

The configuration XML that is uploaded to Pulse One is not consistent, causing Pulse One to see
PRS-336161
configuration changes or conflicts which do not actually exist.

Internal error seen when saving changes under User Roles --> Files --> Options page for Roles with
PRS-336255
Files options disabled

PRS-336378 When using the rewriter, uploading attachments in Lotus Notes 9 fails when using Internet Explorer.

XML Import of LDAP Server duplicates the user-attributes. This issue can cause issues with Pulse One
PRS-336944
being out of sync with the master appliance.

PRS-337120 When VLAN/source IP is set on the role, accessing protected resources fails.

PRS-337315 XML import fails when Pulse One tries to distribute a SAML authentication server.

PRS-337334 User attributes in the hostname/IP field for HTML5 RDP bookmarks is not supported.

PRS-337496 Registering with Pulse One may result in slow memory leak.

PRS-337742 Options in user role and XML schema for HTML5 Access are missing.

PRS-337752 Unable to connect with Windows Terminal Services (WTS) using a custom port (other than port 3389)

Google font style (Oxygen) used in the new admin interface requires the device to have access to the
PRS-337870
Internet.

PRS-337911 Pre-authentication sign-in notification appears twice when custom sign-in page are used.

VPN users that are mapped to roles which are configured with ACLs containing IP ranges are unable to
PRS-337924
establish a VPN tunnel.

PRS-338062 PCS shows a blank page with "Content-type: text/html" during login.

© 2016 by Pulse Secure, LLC. All rights reserved 15

 Pulse Connect Secure Release Notes

Known Issues in 8.2R2 release

The following table lists Known issues in 8.2R2 release.

Problem Report Description

Number

If a system configuration file that does not contain Pulse One registration data is imported into a PCS
PRS-339822 appliance that is registered with Pulse One then the resulting appliance will not be registered with
Pulse One but will have Pulse One related processes running. These extraneous processes can
impact performance on the device. We therefore recommend that you Clear Configuration on the Pulse
One Settings page in the admin console before importing the system configuration file.

Active VDI sessions are not listed in SA admin "Active Virtual Desktop Sessions" if end user connects
PRS-338204
with Horizon view client 2.x or 3.x

Users are unable to connect to multiple VDI or Terminal Service bookmarks when logged in using the
PRS-338370
Chrome browser.

PRS-338646 With View 3.x client users are not able to enter valid credentials if SSO fails.

View client 3.x fails to launch virtual desktop if proxy is configured in client machine.

PRS-338270 This is a VMWare Limitation. Here is the KB from VMWare:

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=208996
9

User access log records the connection broker IP rather than the desktop IP in the successful
PRS-338277
connection message.

The Pulse desktop client does not honor the idle-session timeout in ESP mode when the idle-session timeout is
PRS-331861
greater than 16 minutes.

The VMware View client fails to be installed when the following is true: Firefox or Edge browser is used
PRS-338197
AND the delivery option is configured as “Access the URL through the Pulse Connect Secure”.

PRS-338362 An SSL error may be seen after clicking on a VDI bookmark when using VMware View 3.x.

A PCS or PPS with the IVS license installed is unable to connect to Pulse One. The license cache may
PRS-335995 need to be reset by importing a system.cfg without an IVS license in order to successfully register the
appliance with Pulse One.

PRS-337815 The Pulse Secure client for Linux does not support periodic Host Checker updates.

PRS-335901 Pulse Linux client does not support Multi-Factor Authentication (MFA).

PRS-338860 Pulse Linux client does not support client certificate authentication.

© 2016 by Pulse Secure, LLC. All rights reserved 16

 Pulse Connect Secure Release Notes

Problem Report Description

Number

PRS-337981 Pulse Linux: Pulse Client does not print any error when user attempts to establish duplicate tunnels.

The VPN clients on Linux, both the 64-bit Pulse Linux client and the 32-bit Network Connect client, do
PRS-336407
not support configurations where the proxy is placed between PCS and protected resource.

PSD-1177 Pulse Secure client for Linux does not utilize the system proxy settings.

PRS-337937 Pulse Secure client for Linux shows does not disconnect after uploading logs to the PCS gateway.

The Pulse service used by the Pulse Secure client for Linux does not stop automatically if the tunnel is
PRS-337741
destroyed due to network connectivity failure.

The Pulse One configuration settings were part of user settings until 8.1R6 of PCS; and from 8.1R7 of
PCS these settings are part of the system settings. The Pulse One configuration settings will be
PRS-336136
overwritten when a user settings configuration from 8.1R6 or lesser version, is imported to 8.1R7 or
higher. XML import of Pulse One configuration settings are not affected by this change.

Fixed Issues in 8.2R1.1

The following table lists issues that have been fixed and are resolved by upgrading to 8.2R1.1 release.

Problem Report Release Note

Number

When using the new admin UI and there is more than one page of role mapping rules, clicking “Save
PRS-337308
Changes” causes some rules to be removed without log messages.
On 32-bit Windows machine, users received "An authentication error has occurred" error message when
PRS-337010
launching Windows Terminal Services bookmark if admin enabled Windows Terminal Services client
logging.
PRS-336843 Source IP Restrictions do not activate as expected.

A new feature in 8.2r1 shows a warning in the Admin UI if the insecure RC4 cipher is enabled. This new
feature does not properly detect when RC4 is enabled when hardware acceleration is turned on. If
PRS-335501
hardware acceleration is not enabled, or the device does not have the hardware accelerator installed,
the feature works as expected.

PCS (part of A/A cluster) that is registered, connected with Pulse One, may cause a cluster split
PRS-336158
(possibly after a long run).

On the Admin login page with multiple realm selection option, the first realm selection is not reflected on
PRS-331800 UI but it does login to the selected realm. User can clean the browser history to overcome this UI
behavior.

Remote desktop protocol (RDP) client restriction bypass issue. Please see
PRS-337032
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40166 for more details.

© 2016 by Pulse Secure, LLC. All rights reserved 17

 Pulse Connect Secure Release Notes

New Features in 8.2R1

The following table describes the major features that are introduced in 8.2R1 release.

Feature Description

Due to the end of ActiveX and Java support on many browsers, an alternate solution is provided in this
release for the proper launching of client applications such as Pulse Desktop Client.
Pulse Secure
This release uses a custom URL, pulsesecure://, to deliver and launch client applications. When
Application Launcher
invoked, the custom URL will automatically trigger new application – Pulse Application Launcher.
(replacement for
The Pulse Application Launcher has the ability to accept the parameters from the user’s browser and
NPAPI)
launch the client application.
This solution currently works on Chrome on Windows OS and Safari on Mac OS X.

iOS Support for

accessing
RDP/Telnet/SSH In this release, users can access remote sessions using iOS.
sessions using a
HTML5 browser

IPv6 SNMP Support PCS can send and receive SNMP alerts via IPv6 interface configured at the trap server.

Update “Last VPN The “Last VPN Connect” attribute in LDAP is updated when a user logs in. Admins can then run
Connect” time "reaper" scripts against their Active Directory and remove users that may not have logged in since "X"
attribute in LDAP number of days.

Windows 2012 R2
Windows 2012 R2 is now qualified with Pulse Connect Secure 8.2 software (auth only).
Support

RSA Auth Manager

RSA Auth Manager is now qualified with Pulse Connect Secure 8.2 software.
8.1

Network level
authentication support Windows Terminal Services (WTS) now supports Microsoft’s Network Level Authentication.
for WTS

© 2016 by Pulse Secure, LLC. All rights reserved 18

 Pulse Connect Secure Release Notes

Feature Description

Description
 Users can launch RDP, Telnet, and SSH sessions via admin-created bookmarks.
 Single sign on and NLA (Network Level Authentication) is supported by default.
 Admin can configure screen resolution, color depth, DPI and additional settings as outlined in
the admin guide when creating the bookmarks.
 Users can transfer files from local machine to the remote machine and vice versa.
Support for accessing o If the admin has enabled it, a special G:\ drive is available in the remote machine.
RDP/Telnet/SSH This drive contains a folder called "Download". Any files dropped in this folders are
sessions using automatically transferred between local and remote machines.
HTML5-compliant  Users can copy and paste text from local machine to remote machine and vice versa
browsers o Users can bring the clipboard access screen to the foreground by clicking on Ctrl +
Alt + Shift. This will automatically include clipboard data that exists in the remote
machine...to be transferred to the local machine.
Supported Operating Systems
 The solution works on all supported browsers (Internet Explorer, Safari, Chrome) that run on
desktop operating systems such as Windows, OS X and Linux.
 The solution works on Android OS and iOS.

The PCS administration web UI look and feel has been redesigned to improve the user interface
experience. In PCS 8.2 release, user will have option to choose new user interface or switch to the
classic user interface. The default UI is the new user interface. To use this new web UI, the PCS
UX admin revamp
device must be connected to the external network. If the PCS device does not have connectivity to the
external network, then the new user interface cannot be used and the classic user interface must be
used.

Citrix Xen 7.6,

Citrix XenApp 7.6 and StoreFront 2.6 & 3.0 is now qualified with Pulse Connect Secure 8.2 software.
StoreFront 2.6 & 3.0

VMWare Horizon
VMware Horizon View 6.0.1, 6.1 & 6.2 HTML 5 access is qualified with Pulse Connect Secure 8.2
View 6.0.1, 6.1 & 6.2
software.
HTML5 access.

When a certificate has expired or is about to expire, there is currently no notification available to the
admin to take corrective or preventive action to renew certificates. The “Certificate Expiration Warning”
Certificate expiration
feature provides the admin with a warning at the time of login. Also, the admin can query the
warning
certificates about to expire in a configured number of days for the type of certificates that are of
interest.

Windows 10 support Microsoft’s latest Windows release, Windows 10, is qualified with Pulse Connect Secure (Only IE 11
browser).

OCSP logging With the Online Certificate Status Protocol (OCSP) Logging Enhancement feature, the admin will be
able to see the username, OCSP responder IP address and certificate serial number in the OCSP logs.
With this information, the admin will be able to debug any OCSP related issues by correlating Connect
Secure user access logs and logs from OCSP responders. In addition to that, admin will be able to filter
all the OCSP related logs for a particular user for debugging OCSP related issue related to that user.

© 2016 by Pulse Secure, LLC. All rights reserved 19

 Pulse Connect Secure Release Notes

Feature Description

AES is preferred over

RC4 AES is a preferred cipher over RC4. Ie. If a client that supports both AES and RC4 connects to PCS,
AES is used.

RC4 Warning A new feature in 8.2r1 shows a warning in the Admin UI if the insecure RC4 cipher is enabled. This
new feature does not properly detect when RC4 is enabled when hardware acceleration is turned on. If
hardware acceleration is not enabled, or the device does not have the hardware accelerator installed,
the feature works as expected.

Known Issues in 8.2R1

The following table lists Known issues in 8.2R1 release.

Problem Report Description

Number

When a two node SM-360 cluster is subjected to high load (approximately 17,000 users), the clustering
process on one of the nodes is unable to communicate to the other leading to a cluster split and rejoin.
PRS-339416
In such situations, our recommendation is to reduce the load against the cluster by splitting the cluster
into individual standalone devices or by distributing the load across multiple clusters.

In Chrome browser, User is presented with 'Application launcher not installed' page twice when Host
PRS-328634 Checker is enabled along with auto launch of applications such as pulse desktop client or WSAM, This
is due to Chrome issue https://code.google.com/p/chromium/issues/detail?id=468698
Custom Statement-of-Health policies will not function properly on Windows 10 because of Microsoft's
phasing-out of support for the NAP (Network Access Protection) plugin. As such, if you have such a
PRS-330443 policy enabled (to verify, go to the PCS/PPS admin console and look under Authentication->Endpoint
Security->Host Checker Policy->Windows->Rule Settings->"Custom: Statement of Health"), then you
must disable it for all Windows 10 users.

PRS-335517 System snapshot failing intermittently from serial console. Taking snapshot from admin UI works fine.

For Host Checker with Bit Locker Encryption software, the encrypted drives will be reported as
PRS-318679
encrypted only when these drives are in Unlocked state.

With OPSWAT Patch Management Host Checker policy, the missing patches will be detected only with
PRS-309431
admin privileges for SCCM 2012 and SCCM 2007

The Pulse Application Launcher, which assists in the launching of Pulse clients from web browsers,
PRS-336183 displays text in Traditional Chinese when run a Simplified Chinese locale. There is no workaround at
this time to get Simplified Chinese displayed by the Pulse Application Launcher.

In order to make localization work properly for pulse client side applications on Windows platforms, end
PRS-336129 user needs to set correct language for non-Unicode programs under "Control Panel"->"Clock,
Language and Region"->"Region"
On a fresh Windows 10 machine, Network Connect might fail to establish a tunnel for the first time. An
PRS-333621
error message is shown (“timeout" error message). Subsequent tries work fine.

© 2016 by Pulse Secure, LLC. All rights reserved 20

 Pulse Connect Secure Release Notes

Problem Report Description

Number

Symptom: Restricted users cannot upgrade the Pulse Secure desktop client.
Conditions: On a Windows machine, if an end user who has restricted permissions (as opposed to
administrative permissions) attempts upgrade the Pulse Secure desktop client from a pre-5.2 version to
a 5.2-or-later version using a web browser, the upgrade will fail with the message "You do not have the
proper privileges to install the application."
PRS-335317 Workaround: There are a number of ways to avoid this issue. The best way is to initiate the upgrade of
the client by launching the client and connecting to the upgraded Pulse Secure gateway (as opposed to
launching a web browser and connecting the web browser to the gateway). This client-initiated
upgrade will complete as expected - it is only web-based upgrades that will not function. An alternative
workaround would be to give the end user administrative privileges before attempting the web-based
upgrade
During the uninstall of the Network Connect (NC) client under certain circumstances on Windows
PRS-334329
machines, end users may be presented with a User Access Control (UAC) prompt.

On OS X, logging out of the user UI may display "Stopping components..." in the browser. Refresh the
PCS-2785
page to log in again.

On OS X, file transfer, when using the new HTML5/RDP feature, does not work when using Safari. The
PCS-2787
workaround is to use Chrome instead.

File transfer (using the new HTML5/RDP feature) does not work if "Disable Audio" option is un-
PCS-2789
checked.

PCS-2790 RDP session through IE11 doesn't play audio since audio codec is not supported.

If printing is enabled, it may allow users to transfer some file types (when using HTML5/RDP feature),
PCS-2791
even if file transfer is disabled.

When encryption is configured for "Standard RDP Encryption" or "TLS Encryption" then Username
PCS-2792 should be configured as <DOMAIN Name>\<Username> and not just <Username>. This is mainly
applicable for servers that are joined to a domain.

On iOS File transfer to/from RDP machine through the Safari Browser does not work. The workaround
PCS-2850
is to use the Chrome browser.

PCS-2851 On iOS, the remote sessions using HTML5/RDP do not include sound.

PCS-2883 Cannot use a variable in the Host Name entry for HTML5/RDP feature.

PRS-332326 Client certificate based authentication using ECC Certificate doesn't work in Safari Browser.

Client certificate authentication doesn't work in Safari Browser when LDAP Server is configured as
PRS-332372
Authentication server along with Certificate based Realm Restriction.

The Certificate Expiration Warning feature will automatically start reporting certificates about to expire 7
PRS-335105 days after installing (or upgrading to) this version. If you need to find out the expiration status
immediately after an install (or upgrade) click on the “Check Now” button.

PRS-335115 Broadcast IP packet through a tunnel from an external client is not forwarded to the backend network.

© 2016 by Pulse Secure, LLC. All rights reserved 21

 Pulse Connect Secure Release Notes

Problem Report Description

Number

IPSEC Compression is not available for tunnels formed with 8.2 PCS gateway. IPSEC Compression
PRS-331687 checkbox is removed from the Connection Profiles Web UI page. Customers who has existing configs
with IPSEC Compression will find that tunnels are negotiated with no compression in 8.2.

A new feature in 8.2r1 shows a warning in the Admin UI if the insecure RC4 cipher is enabled. This
new feature does not properly detect when RC4 is enabled when hardware acceleration is turned on. If
PRS-335501
hardware acceleration is not enabled, or the device does not have the hardware accelerator installed,
the feature works as expected.

A "500 internal error" is seen when saving changes under User Roles --> Files --> Options page (only
PRS-336255 for Roles with Files options disabled). Issue is seen with new roles created and not with default Users
Roles.

On the Admin login page with multiple realm selection option, with chrome browser the first realm
PRS-331800 selection is not reflected on UI but it does login to the selected realm. User can clean the browser
history to overcome this UI behavior.

On end-user Mac machine, for browser base connections the debug log file is not created if the pulse
PRS-336684 client is not installed on the Mac machine. For troubleshooting purpose the pulse client would need to
be installed on the mac machine.

If multiple realms along with host checker policies are configured for sign-in url, “Endpoint Security
PRS-336333
Status” on Active Users page is shown as “Not Applicable”

Console Protection authenticates with users created in Default Network even when IVE is functioning
PRS-316786
in Administrative Network

SA (part of A/A cluster) that is registered, connected with PulseOne, may cause a cluster split (possibly
PRS-336159
after a long run).

The OCSP Responder URL gets updated in Root CA rather than in Sub CA when Client is
PRS-331122 Authenticated using Certificate Issued from Sub CA which is configured for "Inherit from Root CA"
mode.

PRS-337120 When VLAN/source IP is set on the role, access intranet resources fails.

When launching clients from the browser, a blank page might be seen with “Content-type: text/html”
PRS-337425
before the launch of the client. This blank page will disappear and the client will launch successfully.

Zero downtime for end users during an upgrade of an Active-Active or Active-Passive cluster is not
PRS-337686 available when upgrading from an older release to either 8.2R1 or 8.2R1.1. Post upgrade, the end
users that were connected prior to the upgrade will have to re-authenticate to the PCS device.

© 2016 by Pulse Secure, LLC. All rights reserved 22

 Pulse Connect Secure Release Notes

Problem Report Description

Number

As described in the “General Notes” section of this document (search for “SHA-2”), PCS client access
binaries in 8.2R1.1 and later are code-signed with SHA-2 certificates in order to meet new restrictions
enforced by Microsoft operating systems in 2016. This new code-signing feature causes certain
issues with older versions of Windows 7. Specifically, versions of Windows 7 that have not been
patched since March 10, 2015 will not be able to load certain drivers and executables signed with SHA-
2. These unpatched versions of Windows 7 will experience the error “An unexpected error occurred”
when trying to run WSAM. Users’ log files will contain the message:

PRS-337311 “The Juniper Networks TDI Filter Driver (NEOFLTR_821_42283) service failed to start due to
the following error:

Windows cannot verify the digital signature for this file. A recent hardware or software
change might have installed a file that is signed incorrectly or damaged, or that might be
malicious software from an unknown source.”

The workaround for this issue is to update the Windows 7 operating system to include the March 10,
2015 patch that allows for the loading of SHA-2-signed binaries and drivers.

Fixed Issues in 8.2R1

The following table lists issues that have been fixed and are resolved by upgrading to 8.2R1 release.

Problem Report Release Note

Number

PRS-316902 Wi-Fi profile with EAP-TTLS can't be configured on Windows 7 client.

PRS-296395 Pulse collaboration is not working correctly with native Mac Book Air 11” resolution 1366x768.

After Windows client onboarded, modifying the Pulse connection set on SA is not reflected on Windows
PRS-316775 client. Re-onboard on Windows client doesn't refresh Pulse connection set either. -- add more detail
about how to get the new Pulse connection set onto Windows client.
License client pulls license count from license server, the client's event log mistakenly shows the license
PRS-319000
count as its user count. The actual user count in system is correct.
In a 2 node cluster, delete all licenses from both nodes, re-import a previously exported config into one
node, parevntd crash was observed, but import completes successfully, pareventd restarts automatically
PRS-318766
and continues without an issue. If only deletes all the licenses for one of the node, dsparevent didn't
crash. The crash was because the cache was not in sync.

Problem: Accessing VMWare Horizon View HTML5 Access 6.0.1, 6.1 and 6.2 via PCS Rewriter throws
PRS-331722
blank Screen.

Going through the huge list of Trusted server CAs to identify expired certificates is tedious so a new filter
PRS-331732
is added in trusted server CA page to show only the expired certificates.

© 2016 by Pulse Secure, LLC. All rights reserved 23

 Pulse Connect Secure Release Notes

Documentation
Pulse documentation is available at https://www.pulsesecure.net/techpubs/

Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the
documentation.
You can send your comments to [email protected].

Technical Support
When you need additional information or assistance, you can contact “Pulse Secure Global
Support Center (PSGSC):

• https://www.pulsesecure.net/support

• [email protected]

• Call us at 1- 844-751-7629 (toll-free USA)

For more technical support resources, browse the support (website
https://www.pulsesecure.net/support).

Revision History
The following table lists the revision history for this document.

Revision Description

6.0 August 2016 8.2R4.1 update

5.0 June 2016 8.2R4 update

4.0 May 2016 8.2R3 update

3.1 April 11, 2016 Added PRS-339416 under known issues of 8.2R1

3.0 April 1, 2016 8.2R2 update

2.0 February 2016 8.2R1.1 update

1.0 January 7, 2016 Initial publication – 8.2R1

© 2016 by Pulse Secure, LLC. All rights reserved 24